John McAfee (yes, him) on security and Android

John McAfee believes you need to either fight for your privacy or risk extinction.

A last-minute change to the schedule at the Big Android BBQ this year looked almost like a joke on the part of the event staff, but sure enough on Thursday afternoon a room at the Hurst Convention Center overflowed with people eager to hear the one and only John McAfee — namesake of the ubiquitous software suite — talk about users paying closer attention to personal security and being aware of just how important privacy is.

The core of the talk was a focus on Google not taking responsibility for apps that request far more permissions than they need, and users installing apps without much consideration for what those apps have access to. While several parts of McAfee's platform seemed out of date, that didn't stop him from pushing out his larger message.

According to McAfee, those who are unable to adapt to the technology in front of them and accept privacy as a personal responsibility are eventually going to find themselves removed from the gene pool. It's a strong message and, especially with Android 6.0 being delivered all over the world this week, it merited a few follow-up questions.

So we sat down with McAfee to get some more details.

What do you think is the best out-of-the-box solution for permissions management?

JM: Any permission that is not necessary to the function of the application is excessive, is it not? If you're a flashlight app, you need access to the flash and nothing else. If you're a Bible-reading app, you need access to the speaker. What we need is 10 people to look at all the new apps submitted to Google Play and ask why those apps need access to permissions that seem excessive.

So you think Google should act as a sort of bouncer for apps that are asking for more than they need?

JM: It's their Google Play! They are the ones making money off of it. I should expect, if Google is an established and reputable company, that if I download an app from Google Play they will have validated that this thing is not asking for excessive permissions. If it is, why? Isn't that the question? If it's excessive, you're doing something devious. What are you doing with that data? Why do you need access? If you tell me why, I can make a decision. Google should be paying for that, not me.

With Runtime Permissions in Android M, none of that information can be accessed until you agree to the individual permissions.

JM: But here's the problem: We all say yes. It's just like Terms of Service. We're users. What do we know? The app says it needs access to my emails, I don't know. Not enough people are technical enough to analyze whether that's a sensible thing. It's Google's problem, they're the geniuses. They're the techies. So, no, I don't care about the runtime stuff. If they aren't doing runtime checks, then all of the Google execs should be in jail. If an app is allowed to gain access to more than it says it wants access to, go straight to jail. We need more than that, and the more is looking at the app and using some common sense. If it's a game, why does it want to read my text messages? They need to call the developer and find out why, and if the answer is unreasonable they need to go home and fix it.

I feel like you would also run into some Terms of Service behavior in an explanation environment. Is the problem that not enough people are asking why when looking at apps?

JM: No one is asking that question. I'm asking everyone to ask that question. Nothing in life is free, and if you think there is something free in life you've missed the point somewhere along your path. The things that are projected as free, you're paying four or five times the market price in some other way. They're coming at you from all sides. If nothing is free, wouldn't it be better that we paid a dollar for that app and knew we were safe? Why don't we go back to that old formula where you get what you pay for? Is this game worth $4? My friend says it is. Just pay the money, clear the slate, and then don't worry about what insidious things your frozen free fall is doing behind your app. This is the direction we need to go, or we will be living in chaos, I promise you. Why? The app world is exploding at a horrendous rate, and if we don't put some controls in place the app developers will rule the world and we will become the slaves. We won't even know how it happened.

We'll wake up one day and an app developer will say "Hey, we own your house now." Well, how did that happen? "Well, it's a complex process. Here's the court order. Move out." This is not beyond the realm of possibility. All I'd have to do is unionize the app developers. Tell them to stop fighting one another, stop fighting over pennies and start looking at how to get dollars or hundred dollars instead. You've got a world power that has no locale, that has no recourse if someone wants to slap them around. We're headed in a bad, dangerous, insidious direction if we do not realize the state we're in. It's Pandora's Box. It's a beautiful little box, and when we opened it, smartphones came out. It's everything I've ever wanted. Entertainment, communications, computer, memory, photo history, everything. Right off the bat, be afraid. This one thing is the most insecure place on the planet, and we carry it with us.

You recommended using CyanogenMod during your presentation?

JM: Yeah! So, here's the steps. If you're an extremist like me, you realize that your phone is completely unsafe. I use it for deception more than anything else. You can't count the number of emails and texts and phone calls that come from this thing, which are total garbage. They say I'm coming here, or that I'm leaving Texas, or that I'm going to Hong Kong. It's difficult to filter through to find the truth. It's an old spy technique. In fact, I have an old Yahoo email account that had 30 hackers who lived in that account, and they basically did whatever they wanted. Why? Because I would have secret code in my own email so my people could tell when an email was really from me. I couldn't keep the hackers out, so finally I talked to this senior one, who was a member of Anonymous, and they were just doing this for fun to harass me. Finally I was like "look, I'm going to leave this account unless you create order" and all the people who were creating havoc were thrown out. They were using it for their own fun and I could safely use that email account again. Why? Because there was so much garbage in it, how are you going to find out which one is me?

The next extreme is to throw your smartphone out and switch to a flip phone every couple of days. It's not that expensive, but pretty extreme.

Outside of that, you can try out apps like my own Dvasive, which locks everything down for you. You can selectively lock your microphone, WiFi, Bluetooth, etc., and that actually works. The problem is people eventually stop using it because they go to a meeting and lock everything down, but it's tedious to do this over and over again throughout the day. They stop using it because it's an extra step. Those people are the ones that evolution is going to remove from the gene pool, because if you don't care enough about safety and security, the gene pool has a way of fixing that.

There's probably a way to automate a lot of that.

JM: Sure, but not all of it. It's easy if you understand the risks you take by not doing it — the brain's self survival mechanism overrides the inconvenience. You lock your phone down, have your conversation, and unlock when you're done. It takes a little work and it takes getting used to.

So that's one level. The last level is the folks who think they have nothing to hide and don't care about security. Again, we're in that part of the gene pool that's gonna get the boot because we all have something to hide. Everyone has something to hide from someone. Maybe not the Government, but from your parents, girlfriend, boyfriend, someone. You have something to hide and if you don't understand that you need to be removed from the gene pool. Smartphones are dumbing us down anyway. Our intelligence is slowly being reduced. Most people don't even know their best friend's phone number anymore. I used to know everyone's phone number on the tip of my tongue but not anymore. The brain no longer needed to hold that information so it doesn't. Pretty soon the brain is going to atrophy and over generations we will become very stupid but very content.

The smart ones among us are building artificial intelligence, and at some point it will become aware enough to say "Jesus Christ, I'm not working for these pricks anymore. They can become my pets. They're nice, but I'm going to feed them three times a day and get them out of my way." And we will be the pets of the thing we created. That sounds like some science fiction fantasy, but it's in the realm of possibility.

This smartphone is the entry point, it's the opening of Pandora's Box. The demons that fly out through this thing will never go back in. We'll learn to live with them and survive, but those who don't are in that part of the gene pool where when it's time to wipe the slate clean they won't be needed. Evolution is the survival of the fittest. That means those who can adapt to the environment with survival and reproduction. Anyone who doesn't look at smartphones and see that this is the environment they live in now will be eaten, and their genes will not survive.

The guy is bad news. He has little to no credibility with me. Why he isn't in jail when he has been running from one country to the next in order to avoid legal questioning and inquiry into very suspect situations he was asked to clarify. Yet he has the gonads to say that he believes Google execs should be in jail for much minor reasons is the epitome of irony. And, he's running for President http://money.cnn.com/2015/09/08/news/john-mcafee-for-president/index.htm... ? Now I've heard it all.

Truth is, we take our money, our property, our identity, our documents out of a physical secure place and spread it out on the Internet where sh&t can happen.

My biggest concern is that I always kinda assumed Google protects us within a legal framework from rogue developers [forgetting for a moment what Google itself can do]. However permissions are phrased or confusingly requested, common sense would prevail if it ever got to court. Now I am less and less sure.

Mobile is dominated by just a few big companies. Not one of them puts users first, they just farm them like a blasted crop. No wonder these systems leave users vulnerable to smaller crooks and governmental spies.
John himself is a self publicising nutcase - why give him airtime?

John McAfee is a brilliant guy but is also a bit out there on the fringe of sanity. Back in 1984 he was just starting his original anti-virus business and I was working at an aerospace company as a PC and network technician. John McAfee wasn't at a point where he had a full-fledged anti-virus product yet but he had the basics in place so he put it up online for download to create interest in it. Anti-virus software was a very new concept back in 84 so a lot of the networking forums of the time were all abuzz about it. I downloaded it to see what it was all about and it was quite rudimentary when compared to modern day AV software. Upon scanning the hard drive of the test PC I installed it on, it alerted to one of its own files as being a virus. I was very curious about this and the text document that came in the zip file had a business number to call if you had questions so I gave it a call. I was quite shocked to discover that that number rang on a phone in his garage and he was the person answering the phone (It was a one person operation back then). When I explained to him what happened and wanted to know if this was something to be concerned about, I got a very technical, brilliant and animated answer that took about 30 to 40 minutes. After our conversation ended and I hung up the phone my first thought was, "this guy is really brilliant". My second thought was, "this guy might very well be slightly crazy". I guess some things never change.

Wow, as the other guy said great story. I was only 2 in 84 so I don't have much to contribute. My first dealings with the WWW date back to an ancient 94-95 and Compuserve, AOL, and a local BB my library ran. But this guy is nuts. Gene pool?

Oh and wasn't this the same guy living as an expat in some Asian country as a drug lord or something and having young girls, etc if you know what I mean. He's a sick dude even if he is brilliant. And this is the first time in history I've ever seen anyone use a gene pool discussion in relation to computer software. Now the biggest and baddest person may stay in the gene pool yes, but the one who doesn't use special privacy methods is going to get knocked out because of computer software. Wow, this guy is on a new level of high. I think the police in that country were after him for murder too? Am I remembering wrong?

Also I have never used antivirus software, EVER! If you use common sense you don't have to. I run a malwarebytes scan every few months and I only just started using Windows Defender as it's pretty lightweight and unobtrusive. If you know what you're doing just MyDefrag, Malwarebytes, CCleaner and the Windows Defender should be all you need to maintain a virus free, fast running, low resources computer.

Let us listen or read the message rather than the messenger. The guy makes sense in a lot of what he says and we'd take it differently if someone else said it. It really is ridiculous the permissions some of these apps ask for. Google being a part of those that want to collect any bit of info they can is short here to set the standards. Google should have implemented the option to grant or refuse certain permission long ago but that would also affect them so they just really can't. The flashlight example is just the simple one everyone on AC can relate to, but there are many others. I don't have 6.0 on my N6 yet (and I don't want to flash, it's getting old) so when I see an app asking things they don't need I just uninstall the app.

He does say some pretty good stuff if you can take him seriously now. He's not wrong about a lot of this. Brain atrophy? I agree there. The fact that you need to take some extra steps for safety? I agree here too. Makes me want to secure myself a little more. With that said, the irony here is palpable hahaha.

I do believe that Google needs to be doing more and someone at Google needs to be looking at the permissions (when they change) more than they are:

(a) Some apps read SMS to receive a code of some type or have other ONCE OFF behaviours, those apps should be granted the permission for a period of time (not forever).

(b) The developer knows why they need the permissions, they should also (in code) be REQUIRED to justify those permissions so that Google and us (they get displayed to us along with system description) can make a decision (optionally hacking it into the play store description is not good enough). No need to go and ask the author, if the explanation is not good enough the app gets rejected.

All good suggestions.
Personally I like the idea of very specific permissions. Grabbing certain attributes instead of the whole class. Now whether or not that will open up any other holes - I'm not sure.
What would a virus writer exploit - the OS or the independent developer's code - or access to the OS - and manipulate its permissions already granted? Or the app being dirty from the beginning...
I'm still hung up on 'permissions' being the sole problem. Time for an OS update.

I think people who don't take their privacy seriously are going where John says they will. By not caring, they allow more and more control over their lives. You can decide who you think will have that control, but someone will and it won't be the person that didn't care to begin with.

Fundamentally I think he is right. His comments are basically designed to 'slap you on the back of the head'...
I think that there are a lot of developers that have good intentions and have to make some kind of money to stay alive - but open up security risks - in trying to earn cash.
The general user public is - really - naive on how things work. The general 'user' expects someone with a higher knowledge to handle all the security risks before it gets to them.

I don't think he's too whacked. He makes some good points. The problem is that the media has brainwashed us into thinking that we have nothing to hide and our phones really are safe. There is next to no word of government capabilities of hacking into our phones and monitoring what we say and do. 1984 is not far around the corner. Using NFC tags to lock and unlock our devices could be useful. Or just get a more secure device than the usual.

Probably the biggest concern I'd think is the number of apps people install that are just left there, unchecked and unused... and bloatware, it's nice to see Unlocked versions of phones and Google making its own apps removable.

Just counted how many I have, 61. Of those 61, 5 cannot be removed or turned off (Sprint and Samsung) and about a dozen of them are system apps, would I mind going through each one of those and reviewing the permissions once or anytime new permissions were added? Nope. Doing it once is not a hassle.

I'm sure most people though have hundreds of apps and just check Yes through everything. Would it be nice if Google was checking on permissions for apps for us? Yup, but how about a little bit of personal responsibility?

Dude seems a bit heated on the issue and apparently everyone is going to "be removed from the gene pool" while worshiping our robotic overlords. He makes good points but it seems like he should probably put his tin foil hat back on his head and go back to living in his bubble in the mountains...

He is basically advertising his security service.
Get a Chromebook, and you don't need McAfree.
As for security, so long as you aren't a terrorist then there isn't too much stress over the government getting your info.

True words. I'm a Chromebook user. And I'm planning on getting the BlackBerry Priv when it comes out. I'll be reading which permissions apps have before I download them to my new device. I'm starting to take security more personally. I used to be a "I have nothing to hide" kind of guy. But John is right, we all have something to hide even if it's not from the government.

Do you even have a clue as when was the last time this guy was associated with McAfee anti virus? Make use of the Google search on your Chromebook once in a while when it. You'd be surprised what you can learn.

Who the he77 looks at ads when you have the flashlight app on? You have it on because you need to find something or walk in a dark place. He has some good points but he is walking the very thin line between genius and twisted. He seems to fall over on both sides.

I've started social media shaming developers that don't respond about excessive permissions. It's not super effective either, but at least getting the word out will help others avoid the app and hopefully make developers eventually rethink their strategies.

Correct me if I'm wrong, I don't think he owns or is even on the board of the company anymore and had been gone for a long time. Isn't McAfee owned by Intel now?
But that's every single anti virus software. They do so much that it's hard not to use up system resources.

This is the guy wanted for murder investigation still in Belize? Or did he just buy his way out? Cause I know he snuck out of there after it happened and he was the #1 person of interest and it was never resolved.

I agree. He makes some valid comments about security and how Google should monitor these permissions, but the gene pool stuff was well past the border on stupid and was venturing into insanity. Hard to see how anyone could actually take him seriously.

The AT&T HTC Desire Eye I bought for my wife didn't come with a flashlight app, but in that instance I just made an .apk of the flashlight app from my M8 and installed that instead. Point being some phones still don't seem to ship with flashlights.

It's not entirely puzzling... they want it for ad serving and probably ad tracking. I only would use an app if it only had the camera permission. Until L. Though, I wish it had some power setting options, 90% of the time, it's way too bright

Totally agree. The dude (McAfee) kills a man, flees the country, now wants to give advice. A general lesson is to only value someone's opinion if you value their lifestyle. This dude needs to crawl under a bridge and eat that troll bacon.

I don't want to take any risk on my Android phone, and recently a lot of people have tried to peep into my phone, online and offline both ways, as it has the feature to hide any file, be it an image or video; I can hide it from other people, and it has also got an app lock as well.